SEP-05-2007 13:59 KRAMER & AMADO, P.C. 703 5199802 P.

Application No: 10/730,926
Attorney's Docket No: ALC3106

CLAIM AMENDMENTS

This listing of claims will replace all prior versions and listings of claims in the
application.

Listing of Claims 

1. (Currently Amended) A method of tracking-back a single malicious data packet in a
connection-oriented communication network, comprising the steps of:

a) for a given time window (Time Period) extending over a configurable time period,
computing a unique flow identifier (FlowId) for uniquely identifying each packet of a given flow
seen by a router interface (Incoming Link) at a network node;

b) inserting said FlowId into a data structure associated to said Time Period and said
Incoming Link, available at said network node;

c) storing said data structure in a searchable repository at said network node;

d) repeating steps a) to c) for a next Time Period and for each Incoming link router
interface at said network node, for all packets seen at respective router interfaces over successive
time windows, for populating said data repository with a plurality of data structures, each
associated to a respective time period and a one of said respective router interfaces;

e) determining the time of arrival X of said single malicious packet at said network node
and computing FlowId for said single malicious packet; and

f) identifying said Incoming Link for said single malicious packet by searching for the
FlowId of said single malicious packet in all data structures for said network node that cover the
time of arrival X.

2.

3. (Currently Amended) The method of claim 1, further comprising tracing-back hop by
hop the source of said single packet from said router, by performing steps e) and f) for each
network node along the path of said single malicious packet.

4. (Original) The method of claim 1, wherein step a) is based on flow definition adopted for 
said network. 

5. (Original) The method of claim 1, wherein step a) comprises applying a specified 
function to one or more header fields of each packet received in said flow. 



6. (Original) The method of claim 1, wherein step a) comprises applying a specified 
function to one or more header fields of each packet received in said flow and an incoming 
interface identification parameter. 

7. (Original) The method of claim 1, wherein step a) comprises applying a specified 
function to one or more characteristics of each packet. 

8. (Original) The method of claim 1, wherein step a) comprises applying a specified
function to one or more characteristics of each packet received in said flow and an incoming 
interface identification parameter. 

9. (Original) The method of claim 1, wherein said data structure is a hash table based on a 
Bloom filter. 

10. (Original) The method of claim 1, wherein said searchable repository is maintained for 
each router interface at said network node. 

11. (Original) The method of claim 10, wherein said searchable repository stores all said
data structures for all router interfaces at said network node.

12. (Original) The method of claim 1, wherein said searchable database is a centralized
searchable repository maintained for said network.

13. (Currently Amended) A method of tracking-back a single malicious data packet in a
connection-oriented communication network, comprising the steps of:

a) for a given time window (Time Period) extending over a configurable time period,
computing a flow identifier (FlowId) for uniquely identifying a given flow a flow seen by a router
interface (Incoming Link) at a network node based on a flow characterization parameter obtained
from a flow management system;

b) inserting said FlowId into a data structure, associated to said Time Period
and said Incoming Link, available at said network node;

c) storing said data structure in a database that is a centralized searchable repository;

d) repeating steps a) to c) for a next Time Period and for each Incoming link at said
network node, for all packets seen at respective router interfaces over successive time windows,
for populating said data repository with a plurality of data structures, each associated to a
respective time period and a one of said respective router interfaces; and

e) finding in said searchable repository the Incoming Link for said single malicious packet
based on a FlowId and a time of arrival X of said single malicious packet.

14. (Currently Amended) A system for tracking-back a single malicious data packet in a
connection-oriented communication, comprising:

means for computing a unique flow identifier FlowId for each packet of a
flow uniquely identifying a given flow seen by a router interface (Incoming Link) at a network
node over a given period of time (Time Period) extending over a configurable time period;

means for inserting said FlowId into a data structure associated to said
Time Period, and said Incoming Link available for said network node;

a database that is a centralized searchable repository for storing said data structure; and

a search engine for finding in said searchable repository the Incoming Link



PAGE 10/20 * RCVD AT 9/5/2007 1:56:07 PM [Eastern Daylight Time] * SVR:USPTO-EFXRF-5/4 * DNIS:2738300 * CSID:703 5199802 * DURATION (mm-ss):07-36




for said single malicious packet based on a FlowId and a time of arrival X of said malicious
packet.

15. (Currently Amended) The system of claim 14 further comprising a flow-based
monitoring system for tracking back hop-by-hop the source of said single malicious packet.

16. (Original) The system of claim 14, wherein one said searchable repository is maintained
for each interface at said network node.

17. (Original) The system of claim 14, wherein one said searchable repository is maintained
for said network node.

18. (Original) The system of claim 14, wherein said searchable repository is a centralized
database maintained for said network.



19. (Original) The system of claim 14, further comprising a flow based monitoring system 
for providing a flow characterization parameter to said means for calculating. 

20. (Original) The system of claim 14 further comprising a flow management system for 
generating a flow characterization parameter. 

21. (Original) The system of claim 20, wherein said means for computing is a FlowId
calculator for computing said FlowId from one or more of packet header fields, packet
characterization parameters and interface identification information.

22. (Original) The system of claim 20, wherein said means for computing is a FlowId
calculator for computing said FlowId from packet header information.
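
Added example, not part of the filed claims: steps a) to f) of claim 1 in Python, using the Bloom-filter data structure of claim 9 and a header-field FlowId as in claim 5. The SHA-256 function, the 60-second window, the filter sizing, the names flow_id and TracebackNode, and the interface labels and addresses in the sample traffic are assumptions made for the example.

```python
import hashlib
from collections import defaultdict

WINDOW_SECONDS = 60   # assumed length of the configurable Time Period
BLOOM_BITS = 1 << 16  # assumed filter size in bits
BLOOM_HASHES = 4      # assumed number of hash functions

def flow_id(src, dst, sport, dport, proto):
    """FlowId as a specified function (here SHA-256) of header fields."""
    return hashlib.sha256(f"{src}|{dst}|{sport}|{dport}|{proto}".encode()).digest()

class BloomFilter:
    def __init__(self):
        self.array = bytearray(BLOOM_BITS // 8)

    def _positions(self, item):
        # Derive the bit positions by salting the item with the hash index.
        for i in range(BLOOM_HASHES):
            digest = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(digest[:8], "big") % BLOOM_BITS

    def add(self, item):
        for pos in self._positions(item):
            self.array[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item):
        return all(self.array[p // 8] & (1 << (p % 8)) for p in self._positions(item))

class TracebackNode:
    """Searchable repository: one Bloom filter per (Time Period, Incoming Link)."""
    def __init__(self):
        self.repository = defaultdict(BloomFilter)

    def record(self, timestamp, incoming_link, fid):
        # Steps a) to d): insert the FlowId into the structure for this window and link.
        self.repository[(int(timestamp // WINDOW_SECONDS), incoming_link)].add(fid)

    def find_incoming_links(self, arrival_time, fid):
        # Steps e) and f): search every structure covering time of arrival X.
        window = int(arrival_time // WINDOW_SECONDS)
        return sorted(link for (w, link), bf in self.repository.items()
                      if w == window and fid in bf)

def demo():
    # Constructed sample traffic (documentation addresses, hypothetical links).
    node = TracebackNode()
    bad = flow_id("198.51.100.7", "192.0.2.10", 4444, 80, "tcp")
    node.record(125.0, "if-2", bad)
    node.record(130.0, "if-1", flow_id("203.0.113.5", "192.0.2.10", 5000, 443, "tcp"))
    return node.find_incoming_links(131.0, bad)
```

A Bloom filter never misses a FlowId that was recorded, but it can report a link that did not carry the flow, so a lookup may return more than one candidate Incoming Link.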